further refactor work

2026-02-09 12:29:19 -08:00 · 2023-11-19 11:00:57 -08:00 · 2023-11-19 11:00:57 -08:00 · befe6ea564
commit befe6ea564
parent eb4713ec37
32 changed files with 39 additions and 14 deletions
--- a/nixos/servers/matrix/nginx.nix
+++ b/nixos/servers/matrix/nginx.nix
@ -0,0 +1,23 @@
+{config, ...}: let
+  fqdn = "${config.networking.hostName}.${config.networking.domain}";
+in {
+  services.nginx = {
+    virtualHosts = {
+      "${fqdn}" = {
+        enableACME = true;
+        forceSSL = true;
+        locations = {
+          "/".extraConfig = ''
+            return 404;
+          '';
+          "/_matrix".proxyPass = "http://[::1]:8008";
+          "/_synapse".proxyPass = "http://[::1]:8008";
+        };
+        extraConfig = ''
+          http2_max_requests 100000;
+          keepalive_requests 100000;
+        '';
+      };
+    };
+  };
+}
--- a/nixos/servers/matrix/scalpel.nix
+++ b/nixos/servers/matrix/scalpel.nix
@ -0,0 +1,21 @@
+{
+  lib,
+  config,
+  prev,
+  ...
+}: let
+  inherit (lib.modules) mkForce;
+  start = prev.config.systemd.services.matrix-synapse.serviceConfig.ExecStart;
+  synapse_cfgfile = builtins.head (builtins.match "^.*--config-path ([^\ ]*).*$" "${start}");
+in {
+  systemd.services.matrix-synapse.serviceConfig.ExecStart = mkForce (
+    builtins.replaceStrings ["${synapse_cfgfile}"] ["${config.scalpel.trafos."homeserver.yaml".destination} "] "${start}"
+  );
+  scalpel.trafos."homeserver.yaml" = {
+    source = synapse_cfgfile;
+    matchers."MATRIX_SHARED_REGISTRATION_SECRET".secret = config.sops.secrets.matrix_shared_registration_secret.path;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+    mode = "0440";
+  };
+}
--- a/nixos/servers/matrix/secrets.nix
+++ b/nixos/servers/matrix/secrets.nix
@ -0,0 +1,10 @@
+_: {
+  sops.secrets.matrix_shared_registration_secret = {
+    format = "yaml";
+    sopsFile = ./secrets.yaml;
+  };
+
+  scalpels = [
+    ./scalpel.nix
+  ];
+}
--- a/nixos/servers/matrix/secrets.yaml
+++ b/nixos/servers/matrix/secrets.yaml
@ -0,0 +1,43 @@
+matrix_shared_registration_secret: ENC[AES256_GCM,data:DsCqfbS2yxN7nVRevcjpfO63jBUsyQHfEfbpZpD3cBtPf+JuZ8TFPBNNQwx2NYdyty60INdr4w==,iv:pSf6VDS9bqZIq8ZqOW0v4siRbDp9EEdw7TtSSjjrC6A=,tag:V61OqmdsNzczOzf+2Y6LSA==,type:str]
+api_id: ENC[AES256_GCM,data:z1FqOKDSG1uo4BYgt2Ct9cUUy/daSgMNCnOHsdhG0ocw7eNI,iv:2cpOFO0Fcv/Y2xj/5UErbZ9qiLtn0QUWUg12Z9z/Ug4=,tag:cYEgrUM8GJ+uGNXKz4GpdQ==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaTgyQVhRZHRPTzRSNW9Y
+            SmRFVXl2TTV3RWF3QUlneDl4ZFFvS0ZHREVBCnNxUEdwRS9ObEZKNTM2dHAxRlhS
+            M0R5TithU0ViZUc0NHFHM3JrdE13V0kKLS0tIFhFZ2dZc21hL2RtNzZ0djVqUjlD
+            eWdDbGxobFlkZG1SL3UrTEJXajU3RXMK9ULFsUDHxBtzCy5tbwSFeKm18TRjX1mO
+            B1SbGXUNG1XreeRpb5n7r01njVrPpbJI3DPtjvoKquNTc2BhZHi0Xg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-29T18:54:02Z"
+    mac: ENC[AES256_GCM,data:fJdeN80RbQ3wq9udQt/XA7XlvhT+y9gR8z38t2l5P9vnyfqlxEiyfPIdFO8p01ZW3HZFVMessx2ev469LTMXcvf3Ln+L/dopSzZm7L4IRx2EvLYN2PbrZ86/AhgI/CEWyYX/xEMdwxZFR08KNBIMfu161YeDGDgPeevbRpCWkRA=,iv:kY59Y+wN2ZbGFDFOGplFzWpgW0OG+RBcTfucpZNyjq0=,tag:4vPdTfw0lEr5+fH/ACqSuQ==,type:str]
+    pgp:
+        - created_at: "2023-04-25T21:47:23Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UARAAvW2vHtvnKwV0K6b01vK/6T5SnJERlDfTKLpv3sLYlii8
+            FysxBaODgYvnR37/hf2CoWRlYFYZt7wqj811vUMkayBey9FY8nj1k0t5wyM0T1AU
+            qFz5fBCjP6tyhk2RBkWCLVfnLUvhnN7h/XIc3W/05VnIMQF39SbXIQ2gfqnI7R6V
+            keLoHXT0DBwboFVTdA9HjSFc5riEY+fadQf0PZT/xVCTCJH4yeZ/ba6pa/9yX2PU
+            UbHqnoR+M7RkQBrFn0r4nH9r3jFR0VkGri20v9IIby59wkCPVdhX7VPBRtQm0xXN
+            /EqtLMsR+U5bOPvKPM0s2BXXrTTACmsJ9AN2n70l1Sm6/5E3QoTQ7lbH5qSv/wXT
+            ZUkZmqxv3OHJIez2VHqjW6vlraPDL++H/4rsX3DBvK0BSAtr53r9KFoMwgMnMj2N
+            ucX+Sa7ZiI8vXGn3rjfj68Kc0BqzrFgpY8ZrH1RM3weGrsyAugAP4iunnqjYhxrc
+            y2Hh2NZFyRBGTCrbxAr6vJ3MJXLlyNbofPi9Bnx0clI83ksju11rZjb9yFRCLJ+/
+            oRxws+jq7t/lbMVhKaVQjY0LVLn6MCFbb5j5ulQXq9qiv1x+XuRTiPyPJksIiJDE
+            vjf7dMshIooWVNoECWfilEdVCldnYEmxEgr7gZHcTpgDjgeY3fCVvAS7SfD/BDfS
+            XgFw8C3nv2I9zHZZCI0XKFlmNU/MCBOfyK7mHv6UZtUx1YC2lw783R1uGHXZbVu4
+            iPKkytzxgOZms45CfxL3xEPTwO2lZL9GTCZ8pMbwB1jjP1bsH8nyro8vRZRuVoo=
+            =4YT5
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/nixos/servers/matrix/synapse.nix
+++ b/nixos/servers/matrix/synapse.nix
@ -0,0 +1,85 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+  fqdn = "${config.networking.hostName}.${config.networking.domain}";
+in {
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "kittywit.ch";
+      max_upload_size = "512M";
+      rc_messages_per_second = mkDefault 0.1;
+      rc_message_burst_count = mkDefault 25;
+      public_baseurl = "https://${fqdn}";
+      url_preview_enabled = true;
+      enable_registration = false;
+      enable_metrics = true;
+      report_stats = false;
+      dynamic_thumbnails = true;
+      registration_shared_secret = "!!MATRIX_SHARED_REGISTRATION_SECRET!!";
+      allow_guest_access = true;
+      suppress_key_server_warning = true;
+      log_config = pkgs.writeText "nya.yaml" ''
+        version: 1
+        formatters:
+          precise:
+            format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+        filters:
+          context:
+            (): synapse.util.logcontext.LoggingContextFilter
+            request: ""
+        handlers:
+          console:
+            class: logging.StreamHandler
+            formatter: precise
+            filters: [context]
+        loggers:
+          synapse:
+            level: WARNING
+          synapse.storage.SQL:
+            # beware: increasing this to DEBUG will make synapse log sensitive
+            # information such as access tokens.
+            level: WARNING
+        root:
+          level: WARNING
+          handlers: [console]
+      '';
+      listeners = [
+        {
+          port = 8009;
+          bind_addresses = ["::1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["metrics"];
+              compress = true;
+            }
+          ];
+        }
+        {
+          port = 8008;
+          bind_addresses = ["::1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = true;
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    synapse-cleanup
+  ];
+}